There was a timely reminder from Lookout Security on Wednesday that not everything on official app stores is legitimate software, after the security firm revealed it found 13 apps containing the Brain Test malware on Google Play.

The malware was first spotted by Check Point back in September using a range of privilege escalation exploits to install a rootkit on victim devices to achieve persistence.

Its primary goal is to download and install additional APKs as per the instructions coming from the C&C server, with the ultimate aim of making money for its creator by guaranteeing application installs for eager developers.

“There has been an emergence of entities, primarily originating from China, that have been selling guaranteed application-installs to developers,” explained Lookout senior security analyst, Chris Dehghanpoor.

“In order to facilitate the installs, they rely on compromising a large number of devices and then pushing the installs to those devices. Similar tactics have been around for many years in the PC world, and we’ve seen multiple Android malware families take a similar approach.”

Where Brain Test differs, however, is being able to trick Google into allowing it on the official Play store—in some cases obtaining over 500,000 downloads and average ratings of 4.5.

“The explanation for the apps’ high ratings and hundreds-of-thousands of downloads is the malware itself. First off, some of the apps are fully-functioning games. Some are highly rated because they are fun to play,” said Dehghanpoor.

“Mischievously, though, the apps are capable of using compromised devices to download and positively review other malicious apps in the Play store by the same authors. This helps increase the download figures in the Play Store.”

As such, the malware might be thought of more as a nuisance than a threat to user security or privacy, although it will copy files to the /system partition on rooted devices in an effort to ensure persistence even after a factory reset.

However, the design of the malware could make it possible for its developers to use compromised devices for “more nefarious purposes” if desired, Lookout claimed.

Google removed the offending 13 apps from the Play store promptly once notified by the security vendor. But the incident should serve as another shot across the bows that even official stores aren’t immune from malware, although it is relatively rare these days.

Since last summer’s Stagefright vulnerabilities toppled the Android world for a few weeks, researchers inside and out of Google have been taking a close look at not only the maligned media playback engine, but also at Mediaserver where it lives. Today’s release of the monthly Android Nexus Security Bulletin includes patches for another critical vulnerability in Mediaserver, keeping a streak going of consecutive months with serious issues addressed in the software. Flaws in Mediaserver pose serious problems for Android devices because it interacts with a number of applications that can be used to exploit the bug, including MMS and browser media playback features. Versions 5.0, 5.1.1, 6.0 and 6.0.1 are affected, Google said.

“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,” Google said. Google patched five vulnerabilities rated critical, including the Mediaserver flaw, two rated high, and five others rated moderate. The remaining critical flaws were all elevation of privilege issues in the misc-sd driver, the Imagination Technologies driver, Trustzone, the Android kernel and the Bluetooth implementation.

The misc-sd driver and Imagination Technologies driver issues could allow malicious apps downloaded to the device to execute code at kernel level, and could result in a permanent compromise that would be addressed only by re-flashing the operating system, Google said. The Trustzone vulnerabilities were found in the Widevine QSEE Trustzone application and would allow apps with access to QSEECOM to execute code in the Trustzone context, Google said. A separate elevation of privilege issue was found in the kernel that would also open the door to malicious apps executing code in the kernel.

Of the two flaws rated High by Google, the one found in the Android Bluetooth component puts personal information at risk. It, Google said, could allow a device paired over Bluetooth to access personal information such as contacts. The other rated high is an information disclosure vulnerability in the kernel that could allow an attacker to bypass security features in the operating system. Google added the flaws could be used to gain elevated privileges such as Signature or SignatureOrSystem.

The remaining vulnerabilities addressed today were rated moderate and include elevation of privilege flaws in the Android Setup Wizard and Wi-Fi, an information disclosure bug in Bouncy Castle crypto APIs, and a denial-of-service flaw in SyncManager. Google also removed SysV IPC from Android because it is not supported in the OS and exposes additional attack surface.

A stored cross-site scripting (XSS) vulnerability in Yahoo Mail that affects more than 300 million email accounts globally was patched earlier this month, bagging a $10,000 bug bounty for the researcher who discovered it.

The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to then compromise the account, change its settings, and forward or send email without the user’s consent.

The potential ramifications of the flaw are noteworthy: The bug affects all versions of Yahoo’s webmail, the second-largest email service worldwide. The mobile app was not affected.

“We provided Yahoo with a proof of concept email that would forward the victim user’s inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits in the wild,” explained Pynnönen, the researcher who found the flaw.

After a much-publicized “T-Shirtgate” over its bug bounty policies, Yahoo started running its program through the well-known platform, HackerOne.

HackerOne gave an update on researcher participation recently, saying that over the course of 2015, nearly 600 hackers participated in Yahoo’s bounty program on HackerOne, submitting approximately 1,500 reports. From these, Yahoo resolved 58 valid security vulnerabilities and awarded bounties for 38 of them. This translated to rewarding 41 unique hackers a total of $41,100, with an average payout of $1,082.

As many as 20,000 USB sticks may be left in dirty clothes and handed in to dry cleaners every year, with nearly half never returned, according to new research from security vendor Eset.

The firm surveyed 500 launderettes and dry cleaners around the country and extrapolated its findings based on the 5,839 such businesses nationwide. It found that on average each dry cleaner will find four USBs in dirty laundry, which works out at over 20,000 for the country.

Even worse, some 973 mobile phones are also absentmindedly left behind in pockets and handed in, the study found. What’s more, 45% never get returned to their rightful owner, Eset said. The study highlights the need for organizations to enforce strict policies around data portability—something privacy watchdog the Information Commissioner’s Office (ICO) has been advocating for years. Removable media in particular makes it easy for staff to transfer but also lose sensitive corporate data.

A combination of people, process and technology is often touted as the best way to guard against such shortcomings. That is, better training for staff, strict policies on data transfers and technology to prohibit the downloading of unencrypted sensitive data to removable media. “USB drives are a small convenient means to transfer data from one environment to another; with the right safety measures in place and some good policies, they should be as safe as any data transfer method.

“USB encryption is low cost and if used correctly will protect any private data from prying eyes, plus correctly configured internet security products that scan on insertion of any media will give you a fairly comprehensive protected environment.” USBs and mobile phones aren’t the only things launderette owners have found in dirty laundry over the past year.

Facebook users should be wary following a spate of malicious ‘Security System Pages’ created by phishers to steal people’s personal data.

Not satisfied with merely securing a user’s login details, these offenders are now intent on forcing them to part with far more sensitive information. As reported in a Malwarebytes blog, one such scam misleads people into believing their account has been reported for ‘abuse’ by other users, warning them their page may be disabled. It asks users to provide their email address/phone number, password and date of birth so their account can be “verified” and to help “do more for security and comfort for everyone”.

Once this stage of the scam is complete, users are asked to ‘upgrade’ their credit card information, with phishers even so bold as to provide a message at the bottom of the page reading “Your payment info will be stored securely and only you can see it on Facebook”. Although many of these types of scam pages have recently been disabled, similar ones are likely to crop up again soon, with phishers fully aware just how effective these techniques are in frightening some users into following the malicious instructions they provide. Therefore, people should be extra vigilant for anything that looks out of the ordinary.

“The majority of these fake logins are reached via email, and anytime you’re asked for credentials – or worse, payment information – from a supplied link, you should delete and move on with your day, as this just isn’t something any service is in the habit of doing.

“Always check the URL on display and look for the green padlock and https notification – virtually all Facebook phishing is done on free webhosts running insecure pages. You should also consider leaving your web browser’s built-in phishing detection switched on, as a sizeable portion of fakes are caught by these security measures.”

The belief is that the largest security challenge continues to be social engineering, “especially scams like this in email and on web properties that trick end-users into assisting criminals”. He went on to explain that although “best-in-class organizations are actively engaged in threat detection and prevention, and are constantly upgrading legacy defenses”, with law enforcement agencies taking “an increasing interest in prosecution”, as is the case with physical-world crime.

Security researchers are warning of a new vulnerability on the eBay platform, which could allow hackers to spread malware and steal personal information. The flaw could allow an attacker to remotely bypass the e-commerce giant’s code validation checks to serve up malicious JavaScript to a victim, according to Check Point. The security vendor claimed that the attack methodology is fairly straightforward.

A hacker first needs to set up an eBay store and then insert malicious code into the product listings page. Punters could then be tricked into opening the page via a pop-up offering them a one-time discount if they download a new ‘eBay mobile app’. Hitting ‘download’ will trigger a download of a malicious app in the background – exposing the user to phishing or further malware downloads. Although eBay prevents users from including scripts or iFrames by filtering out those HTML tags, an attacker can load additional JavaScript from their server using a non-standard technique called “JSF**k.”

Inserting this remotely controllable JavaScript enables the attacker to create multiple payloads for different user agents. Check Point said it disclosed its findings to eBay on 15 December last year, but on 16 January the trading platform responded that it had no plans to fix it. The security firm and e-commerce platform are now in a stand-off. The latter believes its security controls on active content are sufficient, while Check Point thinks they can be bypassed. Although eBay performs verification checks on code, it only strips alphanumeric characters from inside the script tags, Check Point claimed. The JSF**k technique allows hackers to circumvent this protection by using a very limited and reduced set of characters.

“The eBay attack flow provides cyber-criminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Check Point security research group manager, in a statement. “The main threat is spreading malware and stealing private information.”

The skills shortage in IT security is a very real problem, even though companies have become more creative in how they attract talent. But there’s more to consider: A report from AlienVault argues that retaining the talent once acquired should also be a keen focus for HR departments.

“One can hypothesize that companies no longer offer ‘jobs for life,’” said AlienVault security advocate and former 451 security analyst, Javvad Malik, in the report. “Or indeed blame millennials for being self-entitled and lazy workers who need constant baby-sitting.”

But the reality is that the retention concern is common. Only about 65% of participants are happy and content in their current jobs. And even those that say they’re happy admit that the idea of challenging and exciting work would be a motivator to move somewhere else—thus setting up a competitive environment among companies looking to hone their IT security departments.

“Retaining staff can be a fine balancing act that needs the precision of a NASA engineer landing a rocket on a comet,” Malik said. “On one hand employers need to provide appropriate compensation and working environments. While on the other hand, remaining mindful that other companies will make high offers in attempts to acquire the right candidates.”

Also, company culture is a big intangible. “Being unhappy with the boss or company culture was an underlying theme across the survey,” Malik said. “Yet, several participants, particularly those in larger organizations, felt a distinction should be made between the company culture and team culture.”

“The key is maintaining a fun and rewarding environment,” he stated. “The fun part is deliberate; a lot of folks just leave because they are burned out. They think a new job will alleviate this; often it doesn’t work that way. We had what I called a ‘high rate of recidivism’ in the SOC, which proves this. Operations is tough, it just is.”

Microsoft has announced the latest version of its standalone Windows client security tool EMET, but admitted that Windows 10 contains several features that provide equivalent or even better protection. Redmond announced its Enhanced Mitigation Experience Toolkit (EMET) 5.5 in a blog post on Tuesday, revealing new features including Windows 10 compatibility, improved configuration of mitigations via the Group Policy Object, and support for untrusted fonts mitigation in Windows 10.

Microsoft explained: “EMET was released in 2009 as a standalone tool to help enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware. Since that time, we have made substantial improvements to the security of the browser and the core OS. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10.”

The tool is said to be of most use securing “down level systems” and legacy apps, as well as providing “Control Flow Guard (CFG) protection for 3rd party software that may not yet be recompiled using CFG.” According to Microsoft, Windows 10 features which provide as good or better protection than their EMET equivalents include AppLocker, which prevents unwanted or unknown apps from executing inside the network. Also flagged was Device Guard, which ensures devices only run trusted apps, and can be combined with AppLocker to control which apps from trusted publishers should be allowed to run.

Finally, there’s exploit mitigation feature Control Flow Guard, which will shut down a program if it tries to make an indirect call to an unsafe location. Microsoft added that EMET 5.5 security protections don’t apply to Edge because the new browser is already bristling with advanced security including sandboxing, compiler and memory management features.

The IRS, the US tax collection agency, said it was the target of a malware attack that allowed the perpetrators to access the electronic tax-return credentials for 101,000 social security numbers. The IRS said that using personal data stolen elsewhere outside the IRS, identity thieves used an automated botnet in an attempt to generate E-file PINs for about 464,000 unique stolen social security numbers. Only about a quarter of those attempts successfully obtained an E-file PIN. An E-file PIN is used in some instances to electronically file a tax return.

“While of great concern, this latest report of a cyber intrusion involving the IRS is not surprising in light of the vast inventory of PII (in particular Social Security numbers) in the hands of hackers as a result of countless breaches in the past few years,” said Adam Levin, chairman and founder of IDT.

Mark Bower, global director of product management for HPE Security-Data Security, said that the attack demonstrates how financially motivated hacks are evolving. “Attackers are very capable of taking data stolen from other sites and using it for secondary attacks to more lucrative systems, as in this case,” Bower said. “Hackers are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash. As this attack points out, there is a clear need to protect personal information like name, full address, phone number and email address so that criminals can’t use the information to open bogus accounts, sell it for use in more targeted larger-scale spear-phishing, steal identities, or as in this case to obtain tax identification information.”

No personal taxpayer data was compromised or disclosed, the IRS said. The IRS faced a high-profile hack last year as well. Cyber-fraudsters in that instance also used data harvested from a source outside the IRS, and went on to pass the verification checks needed to access the “Get Transcript” system. This allowed them to obtain filings and tax returns for previous years on behalf of legitimate taxpayers, information which could be used to file fraudulent returns early ahead of the 2016 tax year and claim refunds back from the IRS. Originally the IRS said that 114,000 attempts to clear the Get Transcript authentication process were successful and a further 110,000 attempts failed. But a review months later estimated that an additional 220,000 attempts were made where individuals with taxpayer-specific sensitive data cleared the Get Transcript verification process. The review also identified an additional 170,000 suspected attempts that failed to clear the authentication processes.

Anonymous is at the hacktivist game again, this time targeting the South African government as part of its #OpAfrica initiative. The group hacked a database within the Government Communications and Information Systems (GCIS) department, leaking names, phone numbers, email addresses and hashed passwords of more than 1,000 government employees. The hackers gained access to an old GCIS portal that hadn’t been updated; South Africa said that the vulnerability has been tracked down and closed. Operation Africa is “a disassembly of corporations and governments that enable and perpetuate corruption on the African continent.” Anonymous said that in particular, the focus is on the issues of child labor and Internet censorship on the continent.

“We are fighting alongside other operations such as OpNigeria and AnonymousSA to help free the continent from the plague of exploitation that has been occurring for centuries,” it said. South African developer Evan Knowles said that government employees made it fairly easy for Anonymous to carry out its work, because those hashed passwords are hardly secure. He said that all of the 1,471 passwords from the GCIS data that Anonymous dumped were hashed using the MD5 function without salt. And, that it was trivial to crack 1,116 of them anyway. “All in all, in the collection of 1116 passwords, there were only 549 unique passwords,” he said. “This included nine passwords which were only one letter long, and 53.1% of the passwords failed a standard, very basic test (contains at least one number, and a minimum length of 6). 29.8% of the passwords contained the word ‘password’. 628 passwords (42.7%) were already in plain text and did not need to be cracked.” Further, 25.2% of users had passwords that were identical to their first name.
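The two weaknesses Knowles describes, unsalted MD5 exposing password reuse and passwords failing even a basic policy test, can be checked mechanically from a dump of this shape. The Python below is an added example, not part of the article or of Knowles' analysis: it audits a small constructed dump (invented names and passwords, plaintext mixed with unsalted MD5 digests, as in the GCIS data) and contrasts it with salted PBKDF2 storage, where identical passwords produce different records.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def md5_hex(text: str) -> str:
    """Unsalted MD5, the scheme the GCIS dump used."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed records of (first_name, stored_value). As in the dump the
# article describes, some values are unsalted MD5 digests and some are
# plaintext. Names and passwords are invented for this example.
DUMP = [
    ("thabo", md5_hex("thabo")),        # password equals first name
    ("lerato", md5_hex("Password1")),   # reused password ...
    ("sipho", md5_hex("Password1")),    # ... shows up as an identical digest
    ("anna", "password"),               # plaintext, contains "password"
    ("john", "summer"),                 # plaintext, no digit
    ("zanele", "k"),                    # plaintext, one character
    ("peter", "qwerty123"),             # plaintext, passes the basic test
]


def basic_policy_ok(pw: str) -> bool:
    """The 'standard, very basic test' from the article: a digit and length >= 6."""
    return len(pw) >= 6 and any(ch.isdigit() for ch in pw)


def audit(dump):
    """Summarise the weaknesses an unsalted-MD5 dump exposes without cracking it."""
    hashed = [v for _, v in dump if MD5_HEX.match(v)]
    plain = [v for _, v in dump if not MD5_HEX.match(v)]
    return {
        "total": len(dump),
        "plaintext": len(plain),
        # Unsalted hashing leaks reuse: equal passwords give equal digests.
        "duplicate_hashes": sum(c - 1 for c in Counter(hashed).values()),
        # Name-equals-password is detectable with one digest per user.
        "equal_to_first_name": sum(1 for n, v in dump if v in (n, md5_hex(n))),
        # Policy checks need plaintext, so only the plaintext rows are scored.
        "one_char_plain": sum(1 for p in plain if len(p) == 1),
        "contains_password": sum(1 for p in plain if "password" in p.lower()),
        "fails_basic_policy": sum(1 for p in plain if not basic_policy_ok(p)),
    }


def pbkdf2_store(pw: str) -> str:
    """Salted, iterated storage: the same password never yields the same record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(audit(DUMP))
    record = pbkdf2_store("Password1")
    print(record, pbkdf2_verify("Password1", record))
```

The reuse count comes purely from repeated digests, which is exactly what a per-user salt would have hidden from the leak.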
